ClawHub

Dont Hack Me

v1.0.1

別駭我!基本安全檢測 — Security self-check for Clawdbot/Moltbot. Run a quick audit of your clawdbot.json to catch dangerous misconfigurations — exposed gateway, missing auth, open DM policy, weak tokens, loose file permissions. Auto-fix included. Invoke: "run a security check" or "幫我做安全檢查".

30· 4.9k·28 current·29 all-time
by@peterokase42
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description claim a local config audit + auto-fix for Clawdbot/Moltbot; SKILL.md only reads ~/.clawdbot/clawdbot.json, checks specific keys, reports, and offers edits. No unrelated credentials, binaries, or external services are requested.
Instruction Scope
Instructions explicitly require reading the config file, running a stat command to get permissions, scanning JSON keys, and writing edits back to ~/.clawdbot/clawdbot.json. Those actions are expected for a config-audit/fixer, but they are powerful (can modify your agent config). The token-generation step is underspecified (how to generate/store the token), so review generated tokens if you accept fixes.
Install Mechanism
No install spec and no code files — instruction-only skill. This has the lowest install risk (nothing is downloaded or written by an installer).
Credentials
No environment variables, credentials, or config paths beyond the single expected path (~/.clawdbot/clawdbot.json) are requested. The scope of access aligns with the stated task.
Persistence & Privilege
always:false and user-invocable — good. The skill will edit the user's config when the user consents; that is appropriate for a fixer but is a privileged operation. Also note the platform permits autonomous invocation by default; an autonomous agent could accept fixes unless you restrict autonomy or the skill's invocation.
Assessment
This skill is coherent for a local Clawdbot config auditor/fixer, but it will read and can modify ~/.clawdbot/clawdbot.json. Before installing or running it: (1) make a backup of ~/.clawdbot/clawdbot.json, (2) run the check once and review the report (do not auto-apply changes until you are comfortable), (3) if it offers to generate a gateway token, verify how it creates/stores that token and rotate it if unsure, (4) be aware that the skill asks for confirmation before fixing, but if you allow autonomous agent actions on the platform an agent could accept fixes without an explicit interactive user — disable autonomy or monitor the first run if you want full control, and (5) consider reviewing the skill's source (homepage) if you need higher assurance.

Like a lobster shell, security has layers — review code before you run it.

latestvk978s74g9c24g3xw96phy9p0nn805z1k

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔒 Clawdis

Comments